Dial Backup for IPSec Tunnels

Network availability in a VPN environment can be significantly enhanced through support of redundant communications links, either in the form of VPNs through other ISPs or, as discussed in this article, via dial backup.

This article demonstrates one way that the concepts developed in the author's book High Availability Networking with Cisco (Addison-Wesley, 2001, ISBN 0-201-70455-2) can be adapted to other applications.

Building a virtual private network (VPN) using IP Security Protocol (IPSec)
tunnels is a popular cost-saving approach to wide area networking. One disadvantage
of using a VPN is the lack of tools to provide resilience in the face of router,
firewall, or network failure. The challenge is to detect failure of an IPSec
tunnel so that an alternate route can be used. This article looks at how the
Border Gateway Protocol (BGP), normally associated with routing between routing
domains on the Internet, can be used to drive ISDN dial backup in a VPN using
firewalls to provide an IPSec tunnel between LANs at two locations.

Background

VPNs are growing in popularity due to their ability to reduce WAN costs. Tempering
this growth trend is the difficulty of providing useful redundancy so that network
operations can continue uninterrupted despite failures that disrupt the ability
of a particular link to carry traffic.

The underlying challenge is that useful redundancy requires the ability to
detect when a link is down so that an alternate link, such as dial backup, can
be used. If a failed link is not detected, it becomes a black hole for all traffic
attempting to use that link.

Interior gateway protocols such as RIP, OSPF, and Cisco's EIGRP assume that
routing exchanges are always between routers on a common subnetwork. While there
is considerable flexibility in the choice of underlying subnetwork, ranging from
Ethernet LANs to ATM and frame relay WANs, there is no provision for neighbor
relationships between routers that are not on the same IP subnetwork (short of
wrapping the traffic in a GRE tunnel, which adds another interface, and its own
overhead, at each site). In a VPN where the connectivity is via IPSec tunnels,
this adjacency requirement is no longer satisfied, and configurations suitable
for point-to-point or LAN links won't work. BGP, by contrast, carries its routing
exchanges inside a TCP session and can be configured to peer with a router
several hops away, which is what makes it usable across a tunnel.
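As an added illustration (this is not a configuration from the article or from the author's book), the following shows the shape such a BGP-driven dial backup takes on one site's inside router, assuming the IPSec tunnel terminates on the firewall in front of it and that an eBGP multihop session runs between the loopbacks of the two sites' inside routers. All addresses, AS numbers, interface names, hostnames and the ISDN number are assumptions; the remote site needs the mirror-image configuration.

```cisco
! Site A inside router (hypothetical addresses, ASNs and names throughout)
hostname siteA-inside
!
interface Loopback0
 description BGP peering address, reachable only through the IPSec tunnel
 ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
 description site A inside LAN
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description link to the firewall that terminates the IPSec tunnel
 ip address 192.168.1.2 255.255.255.0
!
interface BRI0
 description ISDN dial backup to site B
 ip address 10.9.9.1 255.255.255.0
 encapsulation ppp
 isdn switch-type basic-ni
 dialer map ip 10.9.9.2 name siteB-inside broadcast 5551234
 dialer idle-timeout 120
 dialer-group 1
 ppp authentication chap
!
router bgp 65001
 bgp log-neighbor-changes
 ! keepalive 10 s / holdtime 30 s: a dead tunnel is noticed within 30 s
 ! instead of the 180 s default
 timers bgp 10 30
 neighbor 10.2.0.1 remote-as 65002
 ! the peer is several hops away across the tunnel, so allow multihop
 neighbor 10.2.0.1 ebgp-multihop 5
 neighbor 10.2.0.1 update-source Loopback0
 network 10.1.1.0 mask 255.255.255.0
!
! The remote loopback is reachable ONLY via the firewall (tunnel) path.
! It must never be reachable over BRI0, or BGP would re-establish across
! the ISDN call and hide the tunnel outage.
ip route 10.2.0.1 255.255.255.255 192.168.1.1
!
! Floating static for the remote LAN: administrative distance 200 loses
! to the eBGP-learned route (distance 20) while the tunnel is up
ip route 10.2.1.0 255.255.255.0 10.9.9.2 200
!
! Any IP packet that is routed out BRI0 counts as interesting traffic
dialer-list 1 protocol ip permit
```

While the tunnel is healthy the eBGP route to 10.2.1.0/24 wins, nothing is routed toward BRI0, and the ISDN line stays idle. If the tunnel, the firewall, or the ISP path fails, keepalives stop, the 30-second holdtime expires, BGP withdraws the prefix, the floating static becomes the active route, and the first packet for site B matches dialer-list 1 and brings up the call. When the tunnel recovers the BGP route reappears, traffic leaves BRI0, and the idle timeout drops the call. Two things the firewall side must satisfy for this to work: the crypto access list must select the loopback-to-loopback traffic (here 10.1.0.1 to 10.2.0.1) so the BGP session actually rides the tunnel, and the inside router's static route to the remote loopback must not fall back to the ISDN interface.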

Adding to the confusion are the many different ways that a VPN can be implemented.
While all approaches may provide similar functionality to the end user, they
can be very different from the point of view of the routers trying to establish
and maintain reliable communications. Even a decision as rudimentary as whether
the IPSec tunnels terminate on the firewalls or on the inside routers can fundamentally
change the available solutions.